File tree 1 file changed +8
-0
lines changed
1 file changed +8
-0
lines changed Original file line number Diff line number Diff line change @@ -43,13 +43,21 @@ function simpleGet (opts, cb) {
4343 if ( opts . json ) opts . headers . accept = 'application/json'
4444 if ( opts . method ) opts . method = opts . method . toUpperCase ( )
4545
46+ const originalHost = opts . hostname // hostname before potential redirect
4647 const protocol = opts . protocol === 'https:' ? https : http // Support http/https urls
4748 const req = protocol . request ( opts , res => {
4849 if ( opts . followRedirects !== false && res . statusCode >= 300 && res . statusCode < 400 && res . headers . location ) {
4950 opts . url = res . headers . location // Follow 3xx redirects
5051 delete opts . headers . host // Discard `host` header on redirect (see #32)
5152 res . resume ( ) // Discard response
5253
54+ const redirectHost = url . parse ( opts . url ) . hostname // eslint-disable-line node/no-deprecated-api
55+ // If redirected host is different than original host, drop headers to prevent cookie leak (#73)
56+ if ( redirectHost !== null && redirectHost !== originalHost ) {
57+ delete opts . headers . cookie
58+ delete opts . headers . authorization
59+ }
60+
5361 if ( opts . method === 'POST' && [ 301 , 302 ] . includes ( res . statusCode ) ) {
5462 opts . method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
5563 delete opts . headers [ 'content-length' ] ; delete opts . headers [ 'content-type' ]
You can’t perform that action at this time.
0 commit comments